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Abstract — Many basic key distribution schemes specifically 
tuned to wireless sensor networks have been proposed in the 
literature. Recently, several researchers have proposed schemes 
in which they have used group-based deployment models and 
assumed predeployment knowledge of the expected locations 
of nodes. They have shown that these schemes achieve better 
performance than the basic schemes, in terms of connectivity, 
resilience against node capture and storage requirements. But in 
many situations expected locations of nodes are not available. In 
this paper we propose a solution which uses the basic scheme, but 
does not use group-based deployment model and predeployment 
knowledge of the locations of nodes, and yet performs better than 
schemes which make the aforementioned assumptions. 

In our scheme, groups are formed after deployment of sensor 
nodes, on the basis of their physical locations, and the nodes 
sample keys from disjoint key pools. Compromise of a node 
affects secure links with other nodes that are part of its group 
only. Because of this reason, our scheme performs better than the 
basic schemes and the schemes using predeployment knowledge, 
in terms of connectivity, storage requirement, and security. 
Moreover, the post-deployment key generation process completes 
sooner than in schemes like LEAP+ [10]. 

Keywords -Security; Key Distribution; Sensor Networks 

I. Introduction 

Due to advances in technology, it is now possible to have 
low-cost, stand-alone sensor and actuator devices that can 
communicate through the wireless medium. Such devices 
have applications in areas like epidemic detection, biological 
attack detection, intruder detection. In some applications, 
these sensor nodes are deployed in hostile environments, and 
therefore security of communication becomes critical. To pro- 
vide security, well-developed public key cryptographic meth- 
ods have been considered, but these are compute-intensive 
and too demanding for resource-constrained devices [4]. So, 
symmetric key based encryption is the only way for secure 
communication between nodes. However, to do that, two nodes 
should agree upon a common key first. For this, various key 
distribution schemes have been proposed in the literature. Es- 
chenauer and Gligor [6] proposed a random key predistribution 
scheme, referred to as the basic scheme or EG scheme. Based 
on this scheme, various improvements have been proposed in 
the literature [2], [3], [9], [11], [12]. 

Recently, there has been research on key distribution 
schemes which make use of predeployment knowledge of 



expected locations of the nodes, and these schemes are shown 
to perform better than the basic schemes. But in some cases 
predeployment knowledge is not available, so in [5] Liu et.al. 
proposed a scheme which uses group-based deployment model 
and showed that their scheme is better than the basic schemes. 
Although in [1], Anjum proposed a scheme which does not 
use predeployment knowledge of the nodes, and group-based 
deployment model, the scheme requires some nodes which can 
transmit at different power levels. 

Our scheme also uses the same concept of groups as 
used by [1], [5], [13] but we have dropped the assumptions 
of predeployment knowledge of expected locations of nodes 
and group-based deployment. Moreover, our scheme does not 
require nodes which can transmit messages at different power 
levels. 

Our contributions in this paper are as follows. 

> We propose a scheme, in which nodes form groups after 
deployment on the basis of their physical locations, and 
generate keys which depend on the group they are part 
of. Each group is assigned a key pool and no two key 
pools have a common key. If a node is compromised, 
then it can affect communication in its group only; so 
the proposed scheme is more resilient to node capture 
than the basic schemes. 

> We show using simulations that our scheme performs 
better than the basic scheme [6] and the schemes which 
assume pre-deployment knowledge of node locations 
[13]. Our scheme assumes that there exists some constant 
time before which the adversary is unable to extract keys 
from the nodes, as assumed in [1], [10]. We show that 
this time can be considerably less for our scheme than 
that in [10], with certain tradeoff. 

> We also look at the problem of connectivity of the key 
graph formed when our scheme is followed. This problem 
is studied in the framework of the "AB random geometric 
graph" [16]. Using results in [16], the number of tagged 
nodes is calculated such that the whole key graph is 
connected with high probability. 

The rest of this paper is organized as follows. In Section ITT1 
we discuss related work. Section [III] describes our proposal. 
Section [IV] gives the expressions for the parameters ensuring 



9781^t244-3941-6/09/$25.00 © 2009 IEEE 



connectivity of the key graph. Section [V] gives the compar- 
ison with the scheme proposed by Du.et.al [13]. Section |VJ 
describes other applications where our scheme could be useful. 
Section [VlTI concludes the paper. 

II. Related Work 

Various key distribution schemes have been proposed in 
the literature for wireless sensor networks, keeping in view 
the resource-constrained devices used in these networks. Es- 
chenauer and Gligor [6] proposed a scheme in which for every 
node, keys are picked randomly (with replacement) from a 
key pool and assigned to it before deployment; this scheme is 
known as the basic or EG scheme. After key discovery, two 
neighbor nodes that have a common key use that as the key 
for secure communication. Based on this basic scheme, several 
schemes with enhanced security features have been suggested 
in [1], [3], [7], [12], [13]. 

There is another class of schemes called "threshold 
schemes." In these schemes, all nodes can communicate with 
one another, and no communication is compromised until 
some fixed number of nodes is compromised. Blundo et.al. 
[3] and Blom [2] proposed such threshold schemes. Blundo's 
scheme uses symmetric bivariate polynomials to obtain pair- 
wise keys, while Blom's scheme also uses a similar idea, 
in which symmetric matrices are used instead of symmetric 
polynomials. 

Du et. al. [12] improve upon Blom's scheme by combining it 
with the random key distribution scheme. Similarly, Liu and 
Ning [9] improve upon Blundo's [3] scheme by combining 
it with random key distribution scheme. Both these schemes 
perform better than the EG scheme [6] in terms of connectivity 
and resilience against node capture. But threshold schemes do 
not scale with the number of nodes in the network. For a 
fixed resilience against node capture, if the number of nodes 
is increased, then they require large memory. 

In any sensor network, generally nodes need to talk to their 
neighbor nodes only. So it is quite intuitive that nodes which 
are near should share the same key pool. This will lead to 
more efficient use of memory, and will give better connectivity 
and better resilience against node capture. Because of this 
reason, various location-based key distribution schemes have 
been proposed. 

Du et.al. [13] and Liu and Ning [8] independently proposed 
schemes which assume predeployment knowledge of expected 
locations of the nodes. Nodes are assumed to be deployed 
in groups (group-based deployment model) and nodes in the 
same group have the same expected location, so that after 
deployment, they lie close to one another. Further in [13], 
nodes in the same group are allocated keys from the same 
key pool, while the groups which lie far from each other are 
allocated disjoint key pools. Therefore, compromise of any 
node jeopardises transmissions of nearby nodes only. Due to 
this reason, performance is better than that of the EG scheme. 

All the location-based schemes which depend on the knowl- 
edge of expected locations of nodes perform well, but they are 
all prone to estimation errors in the expected positions of the 



nodes. So other schemes which do not assume predeployment 
knowledge of the expected locations of the nodes have been 
proposed. 

In [5], Liu et.al. proposed a scheme which does not use 
expected locations of the nodes but still uses group-based 
deployment. This scheme proposes a framework, and any 
basic scheme like random key distribution or polynomial- 
based scheme can be used with this framework. The authors 
showed that basic schemes used with their proposed frame- 
work perform better than when used alone. 

Further, Anjum [1] removed the assumption of group- 
based deployment model and also removed the assumption 
of knowledge of expected locations of nodes. He showed that 
the scheme performs better than the basic scheme; but the 
scheme requires nodes which can transmit at different power 
levels. In this scheme there are some special nodes which 
generate different random numbers (nonces) and transmit them 
at different power levels. Nodes receiving the same nonce 
can communicate, provided they are neighbors. Our scheme 
is different from this scheme, since we do not require the 
presence of nodes which can transmit at different levels. 
Instead of using different power levels, our scheme uses TTL 
scoping. In TTL scoping, after the deployment phase, some 
nodes transmit a broadcast packet containing the TTL (Time 
to Live) field, similar to that of IP packets in data networks. 

In addition, our scheme is also different in the way nodes 
choose their key rings. In [1], on receiving the nonce, nodes 
map it to some different value. In contrast, in our scheme, 
some nodes transmit their id, and corresponding to every id 
there is an associated key pool. Nodes sample keys from the 
key pool corresponding to the received id. The main advantage 
of doing this is the improved resilience against node capture. 
In [1], all nodes receiving the same nonce use the same key 
for secure communication; so if any node is compromised, 
all the secure links formed by the nonce received by this 
node will be compromised. On the other hand, in our scheme, 
communication with other nodes is compromised with some 
probability only, because nodes receiving the same id sample 
keys from the key pool instead of using the same key. 

III. Proposed Scheme for Key Generation and 
Discovery 

In this paper, we consider static sensor networks. Nodes 
are uniformly distributed across the deployment region. We 
use the following cryptographic primitives: 

• Pseudo Random Number Generator (PRNG) — This is 
a deterministic function, which takes an n bit number as 
input and produces output of m > n pseudorandom bits: 

/ : {0, 1}" - {0, l} m (1) 

• Hash function — This is a deterministic function which 
takes an input of any length and returns a number of 
fixed bit-size. Given the output of the hash function, one 
cannot find the input and it is highly unlikely that for two 
different inputs, the output is same: 

h:{0,l} n ^{0,1} C (2) 



where n is variable, and c is fixed. 
A. Description of our scheme 

In our scheme, all nodes are divided into two sets: the 
"tagged node" set and the "normal node" set. Tagged nodes 
are similar to normal nodes in terms of memory, storage, 
and transmission range. They are deployed in the same way 
as normal nodes. The difference is that tagged nodes are 
programmed to broadcast a packet after the deployment phase 
is over. Subsequently, tagged nodes behave like normal nodes. 

Once deployment is over, a tagged node broadcasts a packet 
with TTL value H. Nodes within distance Hr from the 
tagged node receive this packet, and all these nodes associate 
themselves in one group. Different groups are associated with 
disjoint key pools, and nodes in a group "sample" keys 
from the same key pool. Since we are using disjoint key 
pools, so compromise of any node results in compromise of 
communications in its group only; in this way localization of 
the effects of node compromise is achieved. 

Our scheme relies on the assumption that the adversary will 
not be able to extract keying material from a captured node 
before a small time interval has elapsed. This is a reasonable 
assumption because breaking into a node and extracting keying 
material will take some time. The same assumption has been 
made in [10] and [1]. 

Our scheme consists of the following four phases: 

• Predeployment Phase 

• Broadcast Phase 

• Key Generation Phase 

• Shared Key Discovery Phase 

1 ) Predeployment Phase: In this phase, two keys are stored 
in the nodes. 

« Global key (K g ): This is common to all the nodes and is 
used for authentication and encryption of packets during 
the broadcast phase. 

• Root Key (K r ): This key is a single key stored in all 
the nodes. It is used to derive the other keys during 
the key allocation phase; this procedure is explained 
subsequently. 

2) Broadcast Phase: After nodes are deployed, all tagged 
nodes broadcast a packet up to H hops, containing two 
fields: Tagged node id field and Hop count field. Each node 
(both normal and tagged node) receiving this packet fetches 
the tagged node id from the packet, and compares it with 
previously stored tag ids. If there is no match with any of the 
previously stored tag ids, then its value is stored. Then, the 
hop count value is fetched from the packet and its value is 
decreased by 1, If, after decreasing, the value is 0, then the 
packet is discarded; otherwise, the packet is broadcast again 
with the new value of the hop count. This broadcast packet 
is encrypted and authenticated using the global key (K g ). All 
nodes are able to decrypt and authenticate this packet since 
this key is stored in all the nodes. After the end of this phase, 
all nodes which are within distance Hr from the tagged node 
receive the packet. In this way, all the nodes are divided into 
groups, on the basis of their physical locations. 



Consider a tagged node j. It will broadcast a packet with 
tagged node id field set to j. All nodes within the radius 
of Hr of this tagged node will receive this packet and 
associate themselves with tagged node id j. All these nodes 
will consider themselves as a part of group Gj. So there will 
be a group corresponding to each tagged node. We note that, 
since a node can receive broadcasts from more than one tagged 
node, a node can be part of multiple groups. 

There is a key pool corresponding to each group and each 
node samples k keys from the key pool of each group to which 
it belongs. Since a node can be part of multiple groups, so 
different nodes can choose different key ring sizes. To bound 
the number of keys chosen by any node, a limit is put on the 
number of key pools from which a node samples keys. Let 
Tkey be the maximum number of groups to which a node can 
belong. 

We define two sets for any node u, B u and T u . B u contains 
all the distinct tagged node ids received during the broadcast 
phase. T u is a subset of B u . A selects T^ ey tag ids out of the 
received tag ids, and the set T u contains these selected values. 

Randomly selecting the tagged node ids from B u is not 
the best thing to do. Consider an example with Tkey — 1. If 
two neighbor nodes receive broadcasts from the same 4 nodes, 
then on randomly selecting the tag id, the probability that both 
choose the same tagged node id is 1/ 4. But if both the nodes 
plan to choose the least tag node id, then with probability 1 
they will choose the same tag node id. And intuitively one 
can say that two neighbor nodes are more likely to receive 
broadcasts from the same set of tagged nodes. So we set the 
selection criterion as: Node u selects the smallest Tkey tagged 
node ids from the set B u . 

3) Key Generation Phase: Once the broadcast phase is 
over, nodes select Tk ey smallest tag ids from the received tag 
ids. If we consider node u, then it is a part of groups in the 
set G u = {Gj,Vj eT„). After the node has associated itself 
with the groups, it has to sample keys from the key pools 
corresponding to the selected groups. One way to do this is 
to store all the key pools in all the nodes before deployment, 
but this is not feasible because of memory constraints. So we 
propose a way in which nodes can compute the keys such 
that it is equivalent to first selecting the key pools and then 
sampling keys from them. 

Let Pj be the key pool associated with tag id j or group id 
j. The pool is generated by using [3] 

P 3 ■ = {h{K G] \\i),\ <i< M} (3a) 
K G .=h j (K r ) (3b) 

Here, (||) represents the concatenation operator, M is the 
key pool size per group, K r is the root key as defined earlier 
and hP{K r ) represents j hash operations on K r ; for example 
h 2 {K r ) = h{h{K r )). 

However, instead of deriving the key pool and then sampling 
the keys, one can first select k numbers uniformly distributed 



in the range from 1 to M, (called Key Indices), and then 
applying the function h(KG,\\i) to them. Each key can be 
identified by the tuple (Group Number, Key Index). Keys 
are stored along with this tuple to identify them during the 
subsequent key discovery phase. 

To understand the procedure followed by nodes to derive 
their key rings, we consider a node u, and examine what it 
does. 

1) Node u generates the set K u = {Kgj ,Vj € T u }, 
and arranges it in ascending order of its index values, 
{Kq s , Kq } , ...}, with j 2 > j\. Let us call these values 
"Group Keys." If there are large number of tagged nodes then 
it will be expensive to compute the group key corresponding to 
tag nodes with large tag id's. So to minimize the computation, 
some fraction of group keys, uniformly distributed across the 
full range, can be computed offline and stored in the node 
before deployment. For example, if the number of tagged node 
is 1800, then 36 group keys (Ka j5g , Kc jlgg ■■) could be pre- 
stored, so that the average number of hash computations done 
by any node will be 25. 

2) In this step, node u generates \T U \ sets each containing 
k values in the range of 1 to M. These sets are generated 
using the PRNG, with T key u + 1, T key u + 2...T key u + \T U \ as 
the seed values. Let us call the elements of these sets "Key 
Indices." Since a node can generate a maximum of T key sets, 
so it will use T key seed values in the range T key u + 1 to 
T key (u +1). Further, nodes u and u + 1 will use different 
seed values since node u will use seed values in the range 
TkeyU + 1 to T key {u + 1), while node u + 1 will use values in 
the range Tk ey (u + 1) + 1 to T key (u + 2). In this way, all sets 
of key indices are generated independently, and hence the key 
rings are also generated independently. 

3) In this step, mapping of Key Indices to actual keys is 
done. Node u has \T U \ Group Keys and same number of Key 
Index sets. Node u will pair each Key Index set with a single 
Group Key. Pairs are formed by first arranging the group 
keys in ascending order of their indices, and the Group Key 
with the smallest index is paired up with the Key Index set 
generated using T key u + 1 as the seed value. From each pair, 
k tuples are formed, where the first element of the tuple is 
the Group Key and the second element is the Key Index of 
the set. For example, suppose T u = {2, 5}. If the Key Index 
Set produced using T key u + 1 is {1,9,10} and that using 
TkeyU + 2 is {11,91,56}, then following set of tuples is 
produced: 

K tup = {(K G2 ,1), (Ag 2 ,9), (K G2 ,W), (JCg.,11), 
(JTg.,91), (K G5 , 56)} 

Note that each tuple can be identified by (Group Number(j), 
Key Index). So even after the key Kg* is deleted from the 
memory of the node, tuples can be identified using the group 
number; for the above example, tuples can be identified by 
{(2, 1), (2, 9), (2, 10), (5, 11), (5, 91), (2, 56)}. This is impor- 
tant because during the key discovery phase, node will send 
it's node id (it) and the set T u , and from this information, 
other nodes should be able to identify the common keys. 

Final keys are obtained by concatenating the elements of 



the tuple and then hashing the resultant value. This procedure 
is also illustrated in Fig. Q] 

Our scheme requires nodes that are close to each other to 
be in the same group, nodes in the same group to sample keys 
from the same key pool and key pools selected by distinct 
groups to be disjoint. The procedure described above satisfies 
all our requirements. 

As soon as the key allocation phase is over, K r and the 
set K u should be deleted from memory, because given this 
information, an attacker may be able to generate all the keys 
in the network, and that will lead to compromise of all 
communication. 

(I is the least Group No. received by node u) 
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Fig. 1: Key Ring generation of node u 

4) Shared key discovery phase: In this phase, node u 
broadcasts its node id and the set T u . If node v is a neighbor of 
node u, then node v will receive the broadcast by node u. On 
receiving this broadcast packet, node v will fetch the set T u 
and then compare its elements with T v . If there is no matching 
element between the two sets, then there is no common key. 
If there are common elements between the two sets, then call 
the set of matching elements as T uv , T uv = T u n T v . Let us 
call an element of T uv as t uv . Now node v will find the index 
of the elements present in the set T uv , in sets T u and T v . What 
is done with the index is explained using the example below. 

For example, let T u = {1, 5, 9, 13} and T v = {1, 4, 13, 15}, 
so the set T uv = {1, 13}, and the index of these elements in 
set T u is 1 and 4, while in set T v it is 1 and 3. 

Now node v will generate k numbers for seed values 
T key u + 1, T key u + 4 and T key v + 1, T key v + 3 using the 
PRNG. Then it will compare the values produced from seed 
values T key u + 1 and T key v + 1, and also compare the values 
produced from the seed values T key u + 4 and T key v + 3. 

If any value matches, then the node u and v share a common 
key, and as mentioned earlier, the key is identified by the tuple 
(Group Number, Key Index). If multiple keys are found to be 
shared, then XOR of all the keys will be used as the common 
key. On following a similar procedure, node u can also find 
common keys with node v. 



IV. Design Parameters ensuring Connectivity 

After keys have been generated and discovered, the natural 
question which arises is: Can any two nodes exchange infor- 
mation securely? This question is addressed by considering 
the notion of the key graph and connectivity of the key graph. 

A node is represented by a vertex in the graph. There exists 
an edge between two vertices if the corresponding nodes share 
at least one common key, and lie in the coverage radius of each 
other. A graph formed in this way is called a "key graph." 
There are two properties of connectivity: local connectivity 
and global connectivity. Local connectivity of any node is the 
probability of sharing at least one key with the neighbor nodes, 
while global connectivity is the percentage of the nodes in the 
key graph that is reachable from any node. 

In this section, we are concerned with the problem of how 
to find the number of tagged and normal nodes such that the 
resulting key graph is connected. The problem of connectivity 
of the key graph can be broken down into followingthe three 
sub problems: 

• IntEr Group connectivity (IEG) — Since key pools are 
disjoint, so nodes belonging to two different groups will 
have zero probability of sharing a key. So, two groups 
can only be connected if there exist I nodes (I > 1), 
which belong to both the groups. As these common nodes 
sample keys from the key pools of both the groups, so 
these nodes are reachable from the nodes of both the 
groups; thus, these nodes act as "gateways." 
Now consider a graph in which a group is represented by 
a vertex, and there exists an edge between two vertices, 
if there exists at least one common node between two 
groups. In this graph, if all the vertices are reachable 
from any vertex, then the IEG property holds. We will 
use the results in [16] on AB random geometric graphs 
to find the minimum number of groups or tagged nodes 
required such that all the groups are connected. 
In [16], two kinds of nodes are considered: A type and B 
type. Two A type nodes can communicate via a B type 
node only. Let the graph formed in this way among A 
type nodes, be denoted as G(n, cn,r n ), where n is the 
number of A type nodes and an is the number of B type 
nodes. We apply this framework by taking type A nodes 
as tagged nodes, and type B nodes as normal nodes. 
Define M n as the largest nearest neighbor radius of the 
AB random geometric graph, i.e., the radius below which 
there exists at least one node with degree equal to zero. 
Then, [16] shows that lirrin^oo P(M n < r n ) = e _/3 for 

transmission radius (r„) equal to J l ° 9 ^l^ -- 
Also, the thereshold transmission radius of the nodes 
for which the graph G(n, cn, r n ) is connected with high 
probability as n — ► oo is given by Eqn. [4] 



2 + ( log(n/p) 
\ cnir 



(4) 



value of number of tagged nodes (n) required, for the 
given value of r n = Hr and total number of nodes to be 
deployed (N = n(l + c)), by substituting r n = Hr and 
c = N ~ n in Eqn. |4] If n* is the solution obtained and if 
Ti = [~n*~|, then the number of tagged nodes greater than 
Tj will satisfy IEG property. 

Tagged node-covered — Nodes which do not receive 
broadcasts will not be part of any group; so these nodes 
are isolated from rest of the network. The number of 
tagged nodes should be such that all the normal nodes 
are covered by broadcast from at least one tagged node. 
We will use the result from [15] to calculate the expected 
number of normal nodes not covered by any broadcast. 
It is given by Eqn. [5] 

E[N t ] = (N- n)e-^ {Hr)2 (5) 

where, A is the deployment area. To satisfy this property, 
E[Nt] should be less than 1. If n* is the solution of the 
equation E[N t ] = 1, and if T c = [n*~|, then the number 
of tagged nodes greater than T c will satisfy node-covered 
property. 

So, to satisfy both the node-covered property and and 
inter group connectivity, the number of tagged nodes is 
given by Eqn. [6] 



T > max{T c , Ti) 



(6) 



We will fix 0, which will translate to a target small 
probability of "graph isolated" groups. Then, we find the 



* IntrA Group connectivity (IAG) — All the nodes within 
a group should be reachable from any node in the 
key graph. We will ensure this by using expressions to 
calculate the keyring size in the EG scheme [6]. Since 
the number of nodes in a group has decreased, so less 
number of nodes will share the key pool. So, key pool 
size could be reduced, which, in turn, will reduce the 
requisite keyring size. 
If all the above mentioned requirements are met, then our 
objective of connectivity of the key graph is achieved, because 
all the nodes are reachable within a group, all the groups are 
reachable from any group and all the nodes are part of at least 
one group. 

V. Evaluation & Comparison 

We compare our proposed scheme with the scheme [13] 
which makes the stronger assumption of availability of ex- 
pected knowledge of positions of nodes, which our scheme 
does not. However our scheme makes another assumption: that 
there exists an interval (vulnerable time), after the deployment, 
during which attacker should not be able to extract the keys. 
It may be noted that in our scheme, keys are generated by 
nodes after they are deployed, while in [13], keys are loaded 
into nodes before deployment. Moreover, our scheme also has 
the features of random key distribution. So it is appropriate to 
compare the connectivity and resilience of our scheme with 
that of schemes which use random key pre distribution (RKD) 
schemes (for example, [6]) and a scheme like in [13], which 
uses RKD with the assumption of knowledge of expected 
locations of the nodes. We will also compare our scheme 



with LEAP+ in [10], which is also a post-deployment key 
generation scheme and considers the notion of vulnerable time. 
We will argue that our scheme leads to a smaller vulnerable 
time than that required by in LEAP+, and discuss a related 
trade-off. 

For the evaluation of our scheme, we use the following 
metrics. 

• Connectivity of the nodes in the key graph: local and 
global connectivity. 

« Resilience against node capture — This is the ratio of the 
number of links compromised to the total number of links 
formed. Links which are formed among the compromised 
nodes and the links which are between the compromised 
nodes and the noncompromised nodes are not taken into 
account while calculating the number of compromised 
links and the total links. 

• Memory requirement — As the sensor nodes are 
resource-constrained, so there is always the requirement 
of attaining high connectivity using minimum memory. 

> Vulnerable Time — It is the time interval after the 
deployment during which attacker should not be able to 
extract key material from the nodes, and before which all 
nodes should delete the key material from their memory. 
It is desirable to keep it as less as possible. 

Our simulations are done for the following values of pa- 
rameters. The number of tagged nodes is calculated using the 
analysis in the previous section. 

> Deployment region: 1000m x 1000m 

• Total number of nodes (N) is taken as 10000 

• Transmission radius of the node is taken as 40m 

• Hop Count (H) is taken as 1 

. T key = 2, 4, Keys per key pool M = 1000 

. Tagged nodes: T t = 1863, T c = 1794, T = 1863 

Also, simulations for the scheme [13] are done using the same 

set of values. 

A. Simulation Results - Connectivity 

1 ) Local Connectivity: Figure [2a] shows the plot of proba- 
bility of sharing at least one key between two neighbor nodes 
versus the key ring size of our scheme, scheme [13] and EG 
scheme. We have simulated our scheme for Tk ey = 2, 4. From 
the graph it is clear that our scheme performs better than or 
as well as the scheme [13]. For lower values of key ring size, 
Tkey = 2 should be chosen which gives better connectivity 
than that of the scheme [13], while for larger value of key 
ring sizes Tk ey = 4 should be chosen, which gives same 
connectivity as that of the scheme [13]. We have derived 
analytical expressions for the probability of sharing at least one 
key between two neighbor nodes, and the results match well 
with the simulated values as shown in Fig. [2b] The analytical 
expressions are not reported here due to lack of space. 

2) Global connectivity: For Tk ey = 2,4, Table [J gives the 
comparison of local connectivity with global connectivity of 
the nodes. As we can see from the last row of the table, there 
are small percentages (.08 and .12) of nodes which are isolated 



TABLE I: Local Vs Global Connectivity 



No. of Keys 


Local 


Global 


(Tkeyk) 


T-'key 






2 


4 


2 


4 


40 


0.29 


0.18 


99.63 


99.71 


60 


0.49 


0.35 


99.84 


99.92 


100 


0.69 


0.66 


99.88 


99.92 



even at large value of key ring size. This is because they do not 
receive broadcasts from any of the tagged nodes, and hence 
remain isolated from the network. 

However, an algorithm could be developed to tackle this 
problem of a small number of nodes not receiving broadcast 
from any tagged node. The simplest algorithm is as follows: 
All nodes which do not receive a broadcast from any tagged 
node send a packet containing their node id to the sink node, 
and broadcast it up to one hop. Nodes which receive this 
broadcast packet fetch the node id from the packet, and send 
a message to the sink node (authenticated and encrypted with 
their own key) containing the node id they received from the 
broadcast packet and their group id. The sink node samples 
keys from the group key pool of the neighbor nodes and 
communicates it to the uncovered node. 

B. Security Analysis 

The basic threat model that we have considered is as 
follows: If a node is captured, then all the keys contained 
in it are revealed to the adversary. To evaluate the resilience 
of our scheme, we consider that x nodes are compromised and 
they are distributed uniformly across the deployment region. 
Key ring size of any node is L = Tk ey k, where k is the 
key ring size per group. Total number of keys in the key 
pool is given by S = TM, where M is key pool size per 
group, and T is number of tagged nodes. If one node is 
captured, then the probability that a link between two non- 
captured nodes is compromised is at most |j. (This is a worst 
case value since links between non-captured nodes could be 
secured by multiple keys). |r. For x > 1 compromised nodes, 
the probability that a link is not compromised is at least 
(l — |0 ■ Then, the probability that a link is compromised is 
at most 1 — (l — |f) . While comparing this metric with other 
schemes, local connectivity (p) needs to be kept the same. 
Figure [3a] [3b] show a comparison of the resilience metric of 
our scheme with that of other schemes, at local connectivity 
p = 0.33 and p = 0.5. It shows that our scheme performs 
better than other schemes. We see that the fraction of links 
compromised due to node capture is very small compared to 
that in [13]. This is attributed to the fact that our scheme has 
small group size, which is equal to the total number of nodes 
falling in the transmission radius of the node. So when a node 
is compromised, it affects communication links of the groups 
it is part of, and these are very small in size; so the fraction of 
total links compromised is also very small. In [13], the group 
size is bigger, so the number of affected nodes is larger, and 
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so is the fraction of compromised links. However, it could 
be argued that in this scheme also the number of groups can 
be increased, simultaneously decreasing the number of nodes 
a group; but this requires expected locations to be known 
with more precision, with a corresponding increase in the 
complexity of deployment. 

C. Vulnerable Time 

Since in our scheme keys are computed after the nodes 
are deployed, so it is important to consider another threat, 
which is the vulnerable time during which the compromise of 
a single node can lead to compromise of whole network. We 
will compare our scheme with LEAP+, which also needs to 
address the issue of vulnerable time. Since we have shown 
that our scheme for (H = 1) performs better than the 



schemes using deployment knowledge, so we will compare 
the vulnerable time for H = 1 only. Vulnerable time required 
by our scheme for (H = 1) is just the time taken by all the 
tagged nodes to broadcast up to one hop or time taken by 
all the nodes to hear broadcast from all the neighbor tagged 
nodes; the latter constitute a fraction (.18) of the total number 
of nodes. In LEAP+ [10], it is the time taken by all the 
nodes to hear broadcast from all the neighbor nodes. Since 
the number retransmission attempts required by the node to 
transmit in any MAC protocol depends on the number of 
active neighbor nodes, so our scheme, which requires that 
nodes should hear from only neighbor tagged nodes which 
are only the fraction of total number nodes, requires less time, 
than what LEAP+ does. However, there is a trade off between 



performance achieved and the requirement of the vulnerable 
time, since LEAP+ acheives perfect resilience and connectivity 
while our scheme does not. Nevertheless, still our scheme is 
able to achieve better performance than the schemes which 
assumes predeployment knowledge of the nodes. 

D. Addition of New Nodes 

To add new nodes after the initial deployment, the base 
station or sink informs tagged nodes to broadcast their tag 
id's for the new nodes. Root key is stored in the new nodes 
before their deployment, using which they generate the keys. 
Key generation and shared key discovery procedure is same 
as described earlier. After the generation of the key ring they 
delete the root key. 

VI. Other Applications 

Apart from the main objective of key distribution, our 
scheme could be used for other applications as well. Tagged 
nodes could be considered as the virtual base stations (VBS) 
distributed all across the deployment region, and other nodes 
around them associated with them. If the main base station 
wants to convey a broadcast message only to some nodes lying 
in a certain region, then this could be accomplished by a single 
unicast message to the tagged node (assuming tagged nodes 
can identify their location) lying near that region and then that 
tagged node can broadcast that message with a flag indicating 
a "regional broadcast," so that receiving nodes check the hop 
count value before rebroadcasting the message. All the tagged 
nodes can maintain a group key which is known only to its 
group members; this will help secure delivery of the message. 

This scheme can also be used for group key management. In 
a distributed environment where all nodes cannot communicate 
directly with base station, tagged nodes can act as the virtual 
base stations. Such a scheme involving decentralization is 
proposed in [14]; however, in this scheme, cluster heads 
(tagged nodes) have larger transmission range than the cluster 
members (normal nodes), so that they can communicate di- 
rectly with sink nodes, and are less energy-constrained than 
the normal nodes. Another application could be the collection 
of data, where the nodes in the group sends their data to the 
VBS of their respective group, and then VBS creates a single 
packet and send it to BS. 

VII. Conclusion 

We have proposed a key distribution scheme, which does 
not assume node predeployment knowledge and also does 
not require nodes to be deployed in groups, still our scheme 
achieves better performance in terms of connectivity and 
security than the scheme [13] which take these assumptions. 
However our scheme assumes existence of vulnerable time, 
which is less than that of the LEAP+ [10], with tradeoff of 
connectivity and resilience. 



Our future work is to propose a way to allocate polynomial 
based keys [3], to make our scheme more robust against node 
capture attack. Another future work is to evaluate and compare 
the performance of our scheme for non-uniform deployments. 
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